Sebastian Singer <sebastian.sin...@kesslar.de> writes:

> So I do not want to cut him off the internet completely, just limit
> his bandwidth so much that he is throttled if he has reached a set
> time limit or else if he reaches a certain amount of GB used.
>
> So the question is: is pf (ALTQ especially) able to cope with these
> requirements? And if so, how would such rules in pf.conf look? I am by far
> no pf guru but have run an OpenBSD SOHO server for about 10 years. So I
> think I do have a basic understanding of pf matters.
Most if not all queueing options that come to mind (mostly the hfsc ones)
only operate on a per connection (per state) level, but it's possible to
collect statistics on traffic from a specific IP address, either via rules
with labels (see e.g. [1] onwards) or, if the address is part of a table,
from the statistics collected on table entries, i.e. do a

  pfctl -vt tablename -T show

and you'll get something like this per table entry:

   219.142.91.125
        Cleared:     Mon Apr  1 14:54:30 2013
        In/Block:    [ Packets: 874                Bytes: 51983              ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]

You could then whip up a script that parses either that or pfctl -vsl
output for the labels scenario and, if your rules assign traffic to queues
based on membership in tables, have your script shift the source address to
the table whose traffic gets assigned to a smaller bandwidth queue, and run
your script at short intervals from a system crontab.

Or in a 'no online games after 10 PM' or similar scenario, have a slightly
simpler script do the tables shuffling at a specific time (again assuming
you slice your traffic according to table membership).

Off the top of my head, I think those are the most workable options. I hope
this was a tiny bit helpful.

- Peter

[1] http://home.nuug.no/~peter/pf/newest/labelstats.html and also covered in
The Book of PF (http://nostarch.com/pf2.htm and at better bookstores)

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
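The cron-driven table shuffling Peter describes, worked out as an added example (not code from the thread or from pf itself). It assumes two tables, kids_normal and kids_throttled, whose membership your pf.conf rules already use to pick a queue, a 1 GB volume limit, and a constructed sample of `pfctl -vt kids_normal -T show` output so the parsing can be exercised on a machine without pf; only the `throttle` step actually calls pfctl.

```shell
#!/bin/sh
# Added example: once a host's Out/Pass byte count in the "normal" table
# exceeds LIMIT_BYTES, move it to the throttled table. Table names and
# the limit are assumptions; run from cron as: pf_throttle.sh run
LIMIT_BYTES=$((1024 * 1024 * 1024))
NORMAL_TABLE=kids_normal
THROTTLE_TABLE=kids_throttled

# Constructed sample of 'pfctl -vt kids_normal -T show' output (two hosts,
# the first one already past the limit); used for offline testing only.
SAMPLE_STATS='   192.0.2.10
        Cleared:     Mon Apr  1 14:54:30 2013
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 120                Bytes: 9000               ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 931000             Bytes: 1400000000         ]
   192.0.2.11
        Cleared:     Mon Apr  1 14:54:30 2013
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 5                  Bytes: 400                ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 10                 Bytes: 2000               ]'

# over_limit STATS LIMIT: print every address whose Out/Pass byte counter
# in STATS (pfctl -vT show text) is above LIMIT, one per line.
over_limit() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        # an indented line holding only an address (or prefix) starts an entry
        /^[ \t]*[0-9a-fA-F.:]+(\/[0-9]+)?[ \t]*$/ { addr = $1; next }
        $1 == "Out/Pass:" {
            for (i = 1; i <= NF; i++) if ($i == "Bytes:") bytes = $(i + 1)
            if (bytes + 0 > limit + 0) print addr
        }'
}

# throttle ADDR: take ADDR out of the normal table and add it to the
# throttled one; the counters start fresh in the new table.
throttle() {
    pfctl -t "$NORMAL_TABLE" -T delete "$1" &&
        pfctl -t "$THROTTLE_TABLE" -T add "$1"
}

main() {
    stats=$(pfctl -vt "$NORMAL_TABLE" -T show) || exit 1
    for addr in $(over_limit "$stats" "$LIMIT_BYTES"); do
        throttle "$addr"
    done
}

case "${1:-}" in run) main ;; esac
```

A second cron job can move everyone back at the start of the day's quota period with `pfctl -t kids_throttled -T flush` followed by re-adding the hosts to kids_normal.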